Logo
Retour à la veille

CVE-2026-53818

Publié : 11 juin 2026
Modifié : 11 juin 2026
Lien officiel NVD
Score CVSS
6.6
MEDIUM

Description détaillée

OpenClaw before 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature that allows non-owner callers to skip owner-only tool policies and before-tool-call hooks. Attackers can invoke owner-only behavior through the affected loopback path to execute restricted tools when the feature is enabled and reachable.

Vecteur d'attaque (CVSS)

Vecteur brut :CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Références et Patchs

https://github.com/openclaw/openclaw/security/advisories/GHSA-rj6p-xmxr-qj4hhttps://www.vulncheck.com/advisories/openclaw-owner-only-tool-policy-bypass-via-mcp-loopback

Dernières Vulnérabilités

CVE-2026-49482

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #141, ClipBucket v5 contains an improper neutralization of SQL wildcard characters in the subtitle editing endpoint. An authenticated user can send a % character as the number parameter to overwrite all subtitle titles of any video they own in a single HTTP request. This issue has been patched in version 5.5.3 - #141.

VOIR DÉTAILS

CVE-2026-10676

Rejected reason: This CVE Record has been rejected by the Zephyr Project CNA. Subsequent analysis determined that the addressed defect is not reachable in any released version of Zephyr: on every supported release branch the affected value is corrected before it is used, and the change that exposes the defect exists only in unreleased development code. As no released version is affected, this identifier is withdrawn.

VOIR DÉTAILS

CVE-2026-47238

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #133, a normal authenticated user can edit another user's video subtitles because of a lack of authorization. They can upload subtitles, edit their name or delete them. This issue has been patched in version 5.5.3 - #133.

VOIR DÉTAILS